Bug 2278979 - Declare ports 80/udp and 443/udp as http for use with HTTP/3 and QUIC
Summary: Declare ports 80/udp and 443/udp as http for use with HTTP/3 and QUIC
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-05-03 19:53 UTC by Felix Kaechele
Modified: 2024-05-03 21:55 UTC (History)
CC: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Felix Kaechele 2024-05-03 19:53:36 UTC
HTTP/3 uses the QUIC protocol. QUIC is a UDP-based protocol commonly used on ports 80 and 443 for HTTP/3.

Nginx 1.26.0 gained experimental support for HTTP/3 but under the current policy isn't allowed to bind to those two ports:

type=AVC msg=audit(1714750445.928:337): avc:  denied  { name_bind } for  pid=9687 comm="nginx" src=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket permissive=1

Reproducible: Always

Steps to Reproduce:
1. Install nginx 1.26.0 (either on rawhide or from updates-testing)
2. Uncomment TLS server block in default nginx.conf
3. Add "listen 443 quic reuseport;" to the TLS server block
4. Try starting nginx with SELinux set to enforcing mode



Opened a pull request here: https://github.com/fedora-selinux/selinux-policy/pull/2109
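Until the policy change above lands, the usual local workaround is to label the UDP ports with http_port_t yourself (semanage port -a -t http_port_t -p udp 443, and likewise for 80). The script below, an added example that is not part of the bug report or of selinux-policy, derives that semanage command from an AVC name_bind record such as the one quoted above, so the same check can be run over other denials in the audit log. The sample record is the one from the report; the httpd_t-to-http_port_t mapping is an assumption that only covers this component, and semanage itself (policycoreutils-python-utils on Fedora) is not invoked, only printed.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in the bug report (captured with
# the domain in permissive mode, hence permissive=1).
SAMPLE_AVC='type=AVC msg=audit(1714750445.928:337): avc:  denied  { name_bind } for  pid=9687 comm="nginx" src=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket permissive=1'

# avc_field RECORD KEY: print the value of the first KEY=value token in RECORD.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_proto TCLASS: map the socket class of a name_bind denial to the protocol
# name that semanage port -p expects.
avc_proto() {
    case "$1" in
        tcp_socket) echo tcp ;;
        udp_socket) echo udp ;;
        *) return 1 ;;
    esac
}

# suggest_port_fix RECORD: for a name_bind denial, print the semanage command
# that gives the port the port type the confined domain is allowed to bind.
# Assumption: only httpd_t -> http_port_t is known here; extend the case for
# other domains.
suggest_port_fix() {
    rec=$1
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    case " $perms " in
        *" name_bind "*) ;;
        *) echo "not a name_bind denial" >&2; return 1 ;;
    esac
    port=$(avc_field "$rec" src)
    proto=$(avc_proto "$(avc_field "$rec" tclass)") || return 1
    domain=$(avc_field "$rec" scontext | cut -d: -f3)
    ttype=$(avc_field "$rec" tcontext | cut -d: -f3)
    case "$domain" in
        httpd_t) port_type=http_port_t ;;
        *) echo "no port type mapping for $domain" >&2; return 1 ;;
    esac
    # A port carrying only the generic fallback type can be added (-a); a port
    # already labelled with a specific type must be modified (-m) instead.
    case "$ttype" in
        reserved_port_t|unreserved_port_t|ephemeral_port_t) op=-a ;;
        *) op=-m ;;
    esac
    printf 'semanage port %s -t %s -p %s %s\n' "$op" "$port_type" "$proto" "$port"
}

# Usage: feed real denials from the audit log, one record per line, e.g.
#   ausearch -m AVC -c nginx --raw | while IFS= read -r line; do suggest_port_fix "$line"; done
suggest_port_fix "$SAMPLE_AVC"
```

The tcontext check matters: reserved_port_t in the record means 443/udp has no specific label yet, so -a is correct; if a port already belonged to another type, -a would fail and -m would be needed. Once the policy update ships with 80/udp and 443/udp in http_port_t, the local customization can be dropped with semanage port -d.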

